Ubiquiti patches three max severity UniFi OS vulnerabilities
Ubiquiti released security updates for three maximum-severity vulnerabilities in UniFi OS that allow unauthenticated remote attackers to compromise affected devices.
Ubiquiti has released security updates to patch three maximum severity vulnerabilities in UniFi OS that can be exploited by remote attackers without privileges. The flaws, tracked as CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, affect UniFi OS versions prior to 4.1.13 and include improper access control, path traversal, and command injection issues. Additionally, Ubiquiti patched a second critical command injection flaw (CVE-2026-33000) and a high-severity information disclosure bug (CVE-2026-34911) in the same advisory.
UniFi OS is a unified operating system that powers UniFi Consoles and helps manage IT infrastructure, including networking, security, and other services, as well as UniFi applications such as UniFi Network, UniFi Protect, UniFi Access, UniFi Talk, and UniFi Connect. The first flaw (CVE-2026-34908) enables attackers to make unauthorized changes to targeted systems by exploiting an Improper Access Control weakness, while the second (CVE-2026-34909) allows them to access files on the underlying system by abusing a Path Traversal vulnerability, which could be manipulated to access an underlying account. The third maximum severity security issue (CVE-2026-34910) makes it possible for malicious actors to launch a command injection attack after gaining network access by exploiting an Improper Input Validation vulnerability.
Ubiquiti has yet to disclose whether any of the five vulnerabilities were exploited in the wild before disclosure, but shared that they can be exploited in low-complexity attacks and were reported through its HackerOne bug bounty program. At the moment, threat intelligence company Censys is tracking nearly 100,000 Internet-exposed UniFi OS endpoints, most of them (nearly 50,000 IP addresses) found in the United States. However, there is currently no information on how many have been secured against potential attacks targeting the vulnerabilities Ubiquiti patched this week.
In March, Ubiquiti patched another maximum-severity flaw (CVE-2026-22557) in the UniFi Network Application that may allow attackers to take over user accounts, as well as a vulnerability (CVE-2026-22558) that can be exploited to escalate privileges. The company has been under pressure to improve its security posture as its products have become a frequent target for both state-backed hacking groups and cybercriminals.
Ubiquiti products have been targeted by both state-backed hacking groups and cybercriminals in recent years, in campaigns that hijacked them to build botnets that concealed the threat actors' malicious activity. For instance, in February 2024, the FBI took down Moobot, a botnet of hacked Ubiquiti Edge OS routers used by Russia's Main Intelligence Directorate of the General Staff (GRU) to proxy malicious traffic in cyberespionage attacks targeting the United States and its allies. Four years ago, in April 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added a critical command injection flaw (CVE-2010-5330) in Ubiquiti AirOS to its catalog of actively exploited vulnerabilities and ordered federal agencies to secure their devices within three weeks.
Users are urged to update their UniFi Network Application and UniFi OS firmware immediately to mitigate the risk of compromise. Given the large attack surface of nearly 100,000 exposed endpoints and the critical severity of these vulnerabilities, administrators should prioritize patching as soon as possible.